{ lib, config, }:
# Helper library for host definitions: a user-account template and the
# device-path naming scheme used at install time and at runtime.
# NOTE(review): `config` is only referenced by the commented-out keyFiles
# block below and is otherwise unused here.
let
  keys = import ../../variables/keys.nix;

  # Groups every account built with mkUser receives unless the caller passes
  # its own `extraGroups` (recursiveUpdate replaces lists wholesale, it does
  # not merge them).
  # NOTE(review): wheel, docker and libvirtd are effectively root-equivalent;
  # accounts that do not need them should override this list.
  defaultGroups = [
    "docker"
    "wheel"
    "libvirtd"
    "networkmanager"
    "vboxusers"
    "users"
    "input"
    "audio"
    "video"
    "cdrom"
    "adbusers"
  ];
in
{
  # Build a `users.users.<name>` attrset: the defaults below, recursively
  # overridden by `args` (attrsets merge, scalars and lists in `args` win).
  mkUser = args:
    lib.attrsets.recursiveUpdate {
      isNormalUser = true;
      extraGroups = defaultGroups;
      openssh.authorizedKeys.keys = keys.users.steveej.openssh;
      # TODO: investigate why this secret cannot be found
      # openssh.authorizedKeys.keyFiles = [
      #   config.sops.secrets.sharedSshKeys-steveej.path
      # ];
    } args;

  # Device-path derivation for a disk identified by its /dev/disk/by-id name.
  disk =
    let
      # TODO: verify the GPT PARTLABEL cap at 36 chars
      # NOTE(review): builtins.substring counts bytes; the cap is only exact
      # for ASCII labels, which is what disk IDs are in practice.
      shortenGptPartlabel = partlabel: builtins.substring 0 36 partlabel;

      # LVM doesn't allow most characters in VG names
      # TODO: replace this with a whitelist for: [a-zA-Z0-9.-_+]
      # Currently only ":" is stripped; any other disallowed character in
      # the disk ID is passed through unchanged.
      volumeGroup = diskId: builtins.replaceStrings [ ":" ] [ "" ] diskId;

      # Partition device addressed by PARTLABEL "<prefix><diskId>", shortened
      # to the GPT limit.
      byPartlabel = prefix: diskId:
        "/dev/disk/by-partlabel/${shortenGptPartlabel (prefix + diskId)}";

      # Logical volume `lv` inside the disk's volume group. These paths are
      # guaranteed by LVM.
      lvDevice = diskId: lv: "/dev/${volumeGroup diskId}/${lv}";
    in
    rec {
      inherit shortenGptPartlabel volumeGroup;

      # This is important at install-time
      bootGrubDevice = diskId: "/dev/disk/by-id/" + diskId;

      rootFsDevice = diskId: lvDevice diskId "root";
      swapFsDevice = diskId: lvDevice diskId "swap";

      # Cannot use the disk ID here because it might differ at install vs.
      # runtime. Example: MMC card used in the internal reader vs. a USB
      # reader. Partition 2 is the boot filesystem, partition 3 the LUKS
      # container.
      bootFsDevice = byPartlabel "2-";
      bootLuksDevice = byPartlabel "3-";

      # Name of the opened LUKS mapping, derived from the VG name.
      luksName = diskId: "${volumeGroup diskId}pv";
      luksPhysicalVolume = diskId: "/dev/mapper/${luksName diskId}";

      # Backing device for the LVM physical volume: the opened LUKS mapping
      # when `encrypted == true`, otherwise the raw partition 3 device.
      lvmPv = diskId: encrypted:
        if encrypted == true
        then luksPhysicalVolume diskId
        else bootLuksDevice diskId;
    };
}